IEI: Learning to Ward Off Hackers

Wednesday, October 12, 2016 @ 08:10 AM gHale

By Gregory Hale
Hacking into an ICS system is not very difficult for a professional, but having the right technology and the correct mindset can hold off an attacker.

“We are already tooled up to defeat off the shelf defenses,” said Jason Larsen, industrial controls systems principal at IOActive, during his Tuesday keynote at Belden’s IEI Design Seminar in Orlando, FL. “It is surprising the amount of stuff that doesn’t work.”

Larsen is an ethical hacker who focuses on process control systems, and he described the mindset it takes to get into a process control system. From the sounds of it, it is not too difficult.

He talked about one engagement where three guys had one week to get into a system and not only did they succeed, they also found a series of Zero Days.

“It took a little less than a week, we were able to take over the security (system) which gave us full administrative privileges and we were able to take over the plant,” he said.

He said there are four phases to a successful hack:
• Discovery
• Control
• Damage
• Cleanup

The discovery phase takes the most time, he said. This is where the hacker needs to do research: They look up all the press releases of a targeted company, look online at operator displays, and analyze ladder logic.

“We look at shutdown logic and work our way backward,” he said. “We look at point mappings and other sources of data.”

Another source is safety guidance from bodies such as the Chemical Safety Board (CSB) and the Occupational Safety and Health Administration (OSHA), among others. They often issue reports on what companies are doing wrong, and a hacker can learn from those reports.

Discovery, or research, is important for any hacker. “If you want to be more surgical about it, you have to go through the discovery phase,” Larsen said.

Next up is the control phase. This is understanding that the various control surfaces are hooked together by the physics of the process. That means going after one area will affect other areas, and that is easy for the potential victim to recognize. Understanding the physics of the process the hacker is going after is important so he or she can hide what they are doing. There are two types of problems, Larsen said, that can occur when going after an ICS: A technician problem and an engineering problem. Technician problems are easier to hack into, so attackers try to keep all issues on that level.

“We attackers want to keep the process up and running so we can learn,” he said.

The next phase Larsen discussed is the damage phase. “The damage phase requires an engineer with subject matter knowledge.”

The hacker looks for a template of events where some kind of accident occurred in the past. This falls in line with a cyber physical attack.

The final stage is the cleanup.

“I just made a mess. Who do I want the investigators to blame? What do I want them to think?” To throw them off, the hacker wants to make the investigators link the problem to some other event. One way is to tie the timing of a series of attacks to when one person is working a certain shift. Another is to tie it to a weather event. The smart hacker’s goal is to throw everyone off the scent of his or her trail.

There is always the possibility to skip the cleanup part of the attack, and sometimes groups do that to prove a point.

“In the Ukrainian power grid incident, they skipped the cleanup phase because they were making a political statement,” Larsen said.

“Hacking process control is becoming more mainstream,” Larsen said. “The base floor of hackers is moving into process control.”

From the sounds of it, is it all gloom and doom for manufacturers out there? It could be, but as Larsen said, he knows the normal, routine moves most companies make. To ward off an attack, make the attacker think.

“Do something I can’t predict,” he said. “You can set the rules. As an attacker, I have to play off your rules.”